WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
To view the documentation for a specific Apereo CAS server release, please choose an appropriate version. The release schedule is available here.SAML2 Authentication
CAS can act as a SAML2 identity provider accepting authentication requests and producing SAML assertions.
If you intend to allow CAS to delegate authentication to an external SAML2 identity provider, you need to review this guide.
This document solely focuses on what one might do to turn on SAML2 support inside CAS. It is not to describe/explain the numerous characteristics of the SAML2 protocol itself. If you are unsure about the concepts referred to on this page, please start with reviewing the SAML2 Specification.
Federation Interop Evaluation
The CAS project strives to conform to the SAML V2.0 Implementation Profile for Federation Interoperability. An evaluation of the requirements against the current CAS release is available here. It is recommended that you view, evaluate and comment on functionality that is currently either absent or marked questionable where verification is needed.
SAML Endpoints
The following CAS endpoints respond to supported SAML2 profiles:
/idp/profile/SAML2/Redirect/SSO/idp/profile/SAML2/POST/SSO/idp/profile/SAML2/POST-SimpleSign/SSO/idp/profile/SAML2/POST/SLO/idp/profile/SAML2/Redirect/SLO/idp/profile/SAML2/Unsolicited/SSO/idp/profile/SAML2/SOAP/ECP/idp/profile/SAML2/SOAP/AttributeQuery/idp/profile/SAML1/SOAP/ArtifactResolution
Metadata Management
Handling and storing SAML2 identity provider or service provider metadata can be done in a few ways. To learn more, please review this guide.
Configuration
Support is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-saml-idp</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-saml-idp"
}
You may also need to declare the following repository in your CAS overlay to be able to resolve dependencies:
1
2
3
4
5
6
repositories {
maven {
mavenContent { releasesOnly() }
url "https://build.shibboleth.net/nexus/content/repositories/releases"
}
}
The following settings and properties are available from the CAS configuration catalog:
cas.authn.saml-idp.core.entity-id=https://cas.example.org/idp
The SAML entity id for the deployment. This setting supports the Spring Expression Language. |
cas.authn.saml-idp.core.attribute-friendly-names=
A mapping of attribute names to their friendly names, defined globally. Example might be |
cas.authn.saml-idp.core.attribute-query-profile-enabled=false
Indicates whether attribute query profile is enabled. Enabling this setting would allow CAS to record SAML responses and have them be made available later for attribute lookups. |
cas.authn.saml-idp.core.authentication-context-class-mappings=
A mapping of authentication context class refs. This is where specific authentication context classes are reference and mapped to providers that CAS may support mainly for MFA purposes. Example might be urn:oasis:names:tc:SAML:2.0:ac:classes:SomeClassName->mfa-duo.
|
cas.authn.saml-idp.core.session-storage-type=HTTP
Indicates whether saml requests, and other session data, collected as part of SAML flows and requests that are kept by the container http session, local storage, or should be replicated across the cluster. Available values are as follows:
|
cas.client.prefix=
Prefix of the CAS server used to establish ticket validators for the client. Typically set to |
cas.client.validator-type=CAS30
Determines the type of ticket validator that CAS should create from the Java CAS client when attempting to issue in-bound ticket validation calls. Available values are as follows:
|
cas.session-replication.cookie.allowed-ip-addresses-pattern=
A regular expression pattern that indicates the set of allowed IP addresses, when |
cas.session-replication.cookie.auto-configure-cookie-path=true
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. |
cas.session-replication.cookie.comment=CAS Cookie
CAS Cookie comment, describes the cookie's usage and purpose. |
cas.session-replication.cookie.domain=
Cookie domain. Specifies the domain within which this cookie should be presented. The form of the domain name is specified by RFC 2965. A domain name begins with a dot (.foo.com) and means that the cookie is visible to servers in a specified Domain Name System (DNS) zone (for example, www.foo.com, but not a.b.foo.com). By default, cookies are only returned to the server that sent them. |
cas.session-replication.cookie.http-only=true
true if this cookie contains the HttpOnly attribute. This means that the cookie should not be accessible to scripting engines, like javascript. |
cas.session-replication.cookie.max-age=-1
The maximum age of the cookie, specified in seconds. By default, |
cas.session-replication.cookie.name=
Cookie name. Constructs a cookie with a specified name and value. The name must conform to RFC 2965. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a |
cas.session-replication.cookie.path=
Cookie path. Specifies a path for the cookie to which the client should return the cookie. The cookie is visible to all the pages in the directory you specify, and all the pages in that directory's subdirectories. A cookie's path must include the servlet that set the cookie, for example, /catalog, which makes the cookie visible to all directories on the server under /catalog. Consult RFC 2965 (available on the Internet) for more information on setting path names for cookies. |
cas.session-replication.cookie.pin-to-session=true
When generating cookie values, determine whether the value should be compounded and signed with the properties of the current session, such as IP address, user-agent, etc. |
cas.session-replication.cookie.same-site-policy=
If a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of settings SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute is used so cross-site cookies can only be accessed over HTTPS connections. Accepted values are: Lax, Strict, None.
|
cas.session-replication.cookie.secure=true
True if sending this cookie should be restricted to a secure protocol, or false if the it can be sent using any protocol. |
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc. When possible, properties should be stored in
lower-case kebab format, such as cas.property-name=value.S ettings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.
Actuator Endpoints
The following endpoints are provided by CAS:
Produce SAML2 response entity.
ResponseEntity |
application/xml |
|
|
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerEndpoint |
Produce SAML2 response entity.
ResponseEntity |
application/xml |
|
|
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerEndpoint |
SAML Services
Please see this guide to learn more about how to configure SAML2 service providers.
Security Configuration
Please see this guide to learn more about how to configure SAML2 security configuration.
Attribute Release
Attribute filtering and release policies are defined per SAML service. See this guide for more info.
Name ID Selection
Please see this guide to learn more about how to configure SAML2 security configuration.
Unsolicited SSO
SAML2 IdP Unsolicited/SSO profile supports the following parameters:
| Parameter | Description |
|---|---|
providerId |
Required. Entity ID of the service provider. |
shire |
Optional. Response location (ACS URL) of the service provider. |
target |
Optional. Relay state. |
time |
Optional. Skew the authentication request. |
Attribute Queries
In order to allow CAS to support and respond to attribute queries, you need to make sure the generated metadata has
the AttributeAuthorityDescriptor element enabled, with protocol support enabled for urn:oasis:names:tc:SAML:2.0:protocol
and relevant binding that corresponds to the CAS endpoint(s). You also must ensure the AttributeAuthorityDescriptor tag lists all
KeyDescriptor elements and certificates that are used for signing as well as authentication, specially if the SOAP client of the service provider
needs to cross-compare the certificate behind the CAS endpoint with what is defined for the AttributeAuthorityDescriptor. CAS by default
will always use its own signing certificate for signing of the responses generated as a result of an attribute query.
Also note that support for attribute queries need to be explicitly enabled and the behavior is off by default, given it imposes a burden on CAS and the underlying ticket registry to keep track of attributes and responses as tickets and have them be later used and looked up.
Client Libraries
For Java-based applications, the following frameworks may be used to integrate your application with CAS acting as a SAML2 identity provider:
Sample Client Applications
Troubleshooting
To enable additional logging, modify the logging configuration file to add the following:
1
2
3
4
5
6
7
8
<Logger name="org.opensaml" level="debug" additivity="false">
<AppenderRef ref="console"/>
<AppenderRef ref="file"/>
</Logger>
<Logger name="PROTOCOL_MESSAGE" level="debug" additivity="false">
<AppenderRef ref="console"/>
<AppenderRef ref="file"/>
</Logger>